﻿'Open the database library for commands
Imports System.Data.OleDb

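''' <summary>
''' Code-behind for the "add hotel" page. Saves an optional uploaded picture
''' under a server-generated file name and inserts the submitted hotel details
''' into the hotellist table.
''' </summary>
Public Class addHotel
    Inherits System.Web.UI.Page

    ''' <summary>
    ''' Page load handler. Nothing is initialised here; the page only acts on the button click.
    ''' </summary>
    Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load

    End Sub

    ''' <summary>
    ''' Handles the "add hotel" button: stores the uploaded picture (if any),
    ''' inserts one row into hotellist and redirects to the confirmation page.
    ''' </summary>
    ''' <param name="sender">The button that raised the event.</param>
    ''' <param name="e">Event data (unused).</param>
    Protected Sub btn_addHotel_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btn_addHotel.Click

        'The stored file name is generated on the server from a fresh GUID, so the
        'client-supplied file name never becomes part of the path written to disk.
        'The extension is fixed to .jpg whatever the uploaded file actually contains.
        Dim newFileName As String = Guid.NewGuid().ToString() & ".jpg"

        'Only write to disk when a file was actually posted
        If f_picture.HasFile Then

            'NOTE(review): the upload is saved without checking that it is an image
            'and without a size limit in this handler. Consider validating the content
            'type/extension against an allow-list and confirming the request size is
            'capped elsewhere (e.g. httpRuntime maxRequestLength in web.config).
            Dim picLocationOnServerHardDisk As String = System.IO.Path.Combine(Request.MapPath("pictures"), newFileName)
            f_picture.SaveAs(picLocationOnServerHardDisk)

        End If

        'Parameterised insert: every user-supplied value is bound as a parameter and
        'never concatenated into the SQL text, which is what prevents SQL injection.
        Dim SqlString As String = "Insert into hotellist(HotelName,Location,Stars,Description,contactDetails,Picture,HotelUrl,Traveller) Values (@f1,@f2,@f3,@f4,@f5,@f6,@f7,@f8)"

        'Using blocks close the connection and release the command even if Open or
        'ExecuteNonQuery throws (connection string name comes from web.config).
        Using oleDbConn As New OleDb.OleDbConnection(ConfigurationManager.ConnectionStrings("hotelsConnectionString").ConnectionString)
            Using cmd As OleDbCommand = New OleDbCommand(SqlString, oleDbConn)
                cmd.CommandType = CommandType.Text

                'OleDb binds parameters by position, not by name, so the order of these
                'calls must stay the same as the column list in the SQL above.
                cmd.Parameters.AddWithValue("@f1", tb_hotelName.Text)
                cmd.Parameters.AddWithValue("@f2", tb_location.Text)

                'Star rating is taken from the radio button list
                cmd.Parameters.AddWithValue("@f3", rbl_Stars.SelectedValue)
                cmd.Parameters.AddWithValue("@f4", tb_description.Text)
                cmd.Parameters.AddWithValue("@f5", tb_contactDetails.Text)

                'Relative path of the picture under 'pictures/' using its GUID file name.
                'NOTE(review): this path is recorded even when no file was uploaded, so the
                'row can point at a file that does not exist - confirm the display pages cope.
                cmd.Parameters.AddWithValue("@f6", "pictures/" & newFileName)

                'NOTE(review): the URL is stored exactly as typed; if another page renders it
                'as a link, that page should restrict the scheme to http/https and encode it.
                cmd.Parameters.AddWithValue("@f7", tb_hotelUrl.Text)

                'Record who added the hotel.
                'NOTE(review): no authentication check is visible in this handler; presumably
                'access is restricted in web.config - confirm, otherwise Name may be empty.
                cmd.Parameters.AddWithValue("@f8", User.Identity.Name)

                'Open the database connection
                oleDbConn.Open()

                'Nothing to read back, just run the insert
                cmd.ExecuteNonQuery()
            End Using
        End Using

        'Redirect the user to the confirmation page once the connection has been released
        Response.Redirect("confirmation.aspx")

    End Sub
End Class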